diff options
| author | Shrikant Bobade <shrikant_bobade@mentor.com> | 2015-08-03 19:04:37 +0530 |
|---|---|---|
| committer | Joe MacDonald <joe_macdonald@mentor.com> | 2015-08-07 17:33:21 -0400 |
| commit | 6a775bb8ed866fac87f2a9b11a8ff11988a40ac6 (patch) | |
| tree | 4373dff0fef6f2ef4b7b8c8a7289d10bfc11d2cf /recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch | |
| parent | e59f3b7d04bea0a8897a6458f5f5427a364d3388 (diff) | |
| download | meta-selinux-6a775bb8ed866fac87f2a9b11a8ff11988a40ac6.tar.gz | |
refpolicy git: update refpolicy to git repository
A straight update from refpolicy 2.20140311 to refpolicy git
repository for the core policy variants and forward-porting
of policy patches as appropriate.
This approach is useful for building refpolicy & refpolicy-contrib
directly from the git repos, rather than release tarballs.
It helps to check the refpolicy based on source commits by just
updating the git repo rev. as appropriate in refpolicy_git.inc
ref: https://github.com/TresysTechnology/refpolicy/wiki
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch')
| -rw-r--r-- | recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch new file mode 100644 index 0000000..49da4b6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch | |||
| @@ -0,0 +1,39 @@ | |||
| 1 | From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Roy Li <rongqing.li@windriver.com> | ||
| 3 | Date: Mon, 10 Feb 2014 18:10:12 +0800 | ||
| 4 | Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels | ||
| 5 | |||
| 6 | Proftpd will create file under /var/run, but its mls is in high, and | ||
| 7 | can not write to lowlevel | ||
| 8 | |||
| 9 | Upstream-Status: Pending | ||
| 10 | |||
| 11 | type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir | ||
| 12 | type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir | ||
| 13 | type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) | ||
| 14 | |||
| 15 | root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name | ||
| 16 | allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; | ||
| 17 | root@localhost:~# | ||
| 18 | |||
| 19 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
| 20 | --- | ||
| 21 | policy/modules/contrib/ftp.te | 2 ++ | ||
| 22 | 1 file changed, 2 insertions(+) | ||
| 23 | |||
| 24 | diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te | ||
| 25 | index 544c512..12a31dd 100644 | ||
| 26 | --- a/policy/modules/contrib/ftp.te | ||
| 27 | +++ b/policy/modules/contrib/ftp.te | ||
| 28 | @@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t; | ||
| 29 | type ftpdctl_tmp_t; | ||
| 30 | files_tmp_file(ftpdctl_tmp_t) | ||
| 31 | |||
| 32 | +mls_file_write_all_levels(ftpd_t) | ||
| 33 | + | ||
| 34 | type sftpd_t; | ||
| 35 | domain_type(sftpd_t) | ||
| 36 | role system_r types sftpd_t; | ||
| 37 | -- | ||
| 38 | 1.7.10.4 | ||
| 39 | |||